SuSEfirewall script hardcodes ip_conntrack_max


Ashley Gould-2
SL9.1 and SLES9

Extreme use of our webservers during online application season requires
we set the /proc/sys/net/ipv4/ip_conntrack_max very high (= 65536).  I
tried to make this setting persistent between reboots by means of
/etc/sysctl.conf and boot.sysctl init script.  But each reboot left
ip_conntrack_max = 16384.

After much hair-pulling, I finally discovered the script
/sbin/SuSEfirewall2 contains the line:

  echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max

I think this is bad bad bad.  Perhaps this should be a variable
controlled by yast or some file in /etc/sysconfig.  But this should not
be hard-coded into the script.  I don't see this in SL9.3 or SLES10.  I
have altered this line in /sbin/SuSEfirewall2 to get the
ip_conntrack_max value I need, but what will happen after next update to
SuSEfirewall2 rpm?

I realize SL9.1 is out of maintenance, so this is essentially a SLES9
issue.  If you think it best, I will contact SLES support instead and
let this list rest.



Did you try poking at it with a stick?
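The failure mode described in the post (a sysctl value set in sysctl.conf that is silently overwritten by an `echo NNN > /proc/sys/...` line in a boot script) can be caught before the next reboot rather than after it. The script below is an added example and is not code from the original post or from SuSEfirewall2: it scans a directory of init scripts for such hardcoded writes, reads the value configured for the same key in a sysctl.conf-style file, and reports any conflict. The sysctl.conf and firewall-script contents built by make_fixture are constructed sample data that mirror the line quoted in the post; on a real host you would point check_override at /etc/sysctl.conf and at /sbin or /etc/init.d instead.

```shell
#!/bin/sh
# Added example, not code from the original post or from SuSEfirewall2.
# Finds boot scripts that hardcode a /proc/sys value and compares that value
# with the one configured in a sysctl.conf-style file.

# find_proc_sys_overrides DIR KEY
#   KEY is in /proc/sys path form, e.g. net/ipv4/ip_conntrack_max.
#   Prints one "file:line:value" per script line of the form
#   "echo NNN > /proc/sys/KEY" found anywhere under DIR.
find_proc_sys_overrides() {
    grep -rn -E "^[[:space:]]*echo[[:space:]]+[0-9]+[[:space:]]*>[[:space:]]*/proc/sys/$2([[:space:]]|$)" "$1" 2>/dev/null |
        sed -E 's/^([^:]+):([0-9]+):[[:space:]]*echo[[:space:]]+([0-9]+).*$/\1:\2:\3/'
}

# configured_value FILE KEY
#   KEY is the dotted sysctl name, e.g. net.ipv4.ip_conntrack_max.
#   Prints the value assigned to KEY in FILE (comments ignored, last
#   assignment wins), or nothing if KEY is not set there.
configured_value() {
    awk -v key="$2" -F '=' '
        /^[[:space:]]*#/ || NF < 2 { next }
        { k = $1; v = $2; gsub(/[[:space:]]/, "", k); gsub(/[[:space:]]/, "", v) }
        k == key { val = v }
        END { if (val != "") print val }
    ' "$1"
}

# check_override CONF SCRIPTDIR KEY
#   Returns 0 when no script under SCRIPTDIR writes a value for KEY that
#   differs from the one CONF configures; prints each conflict and
#   returns 1 otherwise.
check_override() {
    conf=$1; dir=$2; dotted=$3
    slashed=$(printf '%s' "$dotted" | tr '.' '/')
    want=$(configured_value "$conf" "$dotted")
    status=0
    for hit in $(find_proc_sys_overrides "$dir" "$slashed"); do
        have=${hit##*:}
        if [ -n "$want" ] && [ "$have" != "$want" ]; then
            echo "CONFLICT: $hit sets $dotted=$have, $conf wants $want"
            status=1
        fi
    done
    return $status
}

# make_fixture
#   Builds a throw-away directory holding a constructed sysctl.conf and a
#   constructed stand-in for the firewall script (sample data only, not the
#   real SUSE files) and prints the directory name.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/sbin"
    cat > "$d/sysctl.conf" <<'EOF'
# constructed sample sysctl.conf
net.ipv4.ip_forward = 0
net.ipv4.ip_conntrack_max = 65536
EOF
    cat > "$d/sbin/SuSEfirewall2" <<'EOF'
#!/bin/sh
# constructed stand-in for the firewall script, modelled on the quoted line
echo 16384 > /proc/sys/net/ipv4/ip_conntrack_max
EOF
    echo "$d"
}

# Demo run against the constructed fixture: the conflict is reported.
FIX=$(make_fixture)
check_override "$FIX/sysctl.conf" "$FIX/sbin" net.ipv4.ip_conntrack_max ||
    echo "override found, as expected for the sample data"
rm -rf "$FIX"
```

Running check_override against the real /etc/sysctl.conf and /sbin (or /etc/init.d) on a SLES9 box would flag the quoted SuSEfirewall2 line. Note that the check only matches literal `echo NNN > /proc/sys/...` writes; a script that uses `sysctl -w` or assembles the path from a variable would need an extra pattern.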
